With the proliferation of smartphones, applications (apps) can be installed on them easily. The owner of a smartphone can be identified from the mobile terminal device information of the smartphone on which an app is installed, so a user can be authenticated by device authentication alone, without entering an identification (ID) and password.
However, once the source code of an app has been obtained, the app can be tampered with and the tampered app reinstalled (repackaged). To hinder such tampering, app stores recommend that developers obfuscate their source code before releasing an app.
Mobile banking apps are also becoming widespread, and running a tampered banking app may leak various kinds of sensitive information, such as the authentication credentials used for banking. For this reason, there are technologies that verify the integrity of an app in conjunction with a tampering detection server when the app is executed.
Meanwhile, as a technology for an application that provides authentication, membership registration, and payment services using a mobile communication terminal, Korean Unexamined Patent Publication No. 10-2013-0112786, “Application for Authentication, Membership Registration, and Payment Services Based on Mobile Communication Terminal” (Kim Juhan) (Literature 1), discloses a technique in which an app installed on a mobile terminal acquires data through a quick response (QR) code or near field communication (NFC); when the acquired data is in an agreed format, the app runs an authentication app, or runs an authentication app in the mobile web browser of the mobile terminal (see FIG. 7), to transfer the data in the agreed format, so that authentication, registration, and payment can be performed from a client terminal without entering any ID or password.
However, an app installed on a smartphone can be analyzed by reverse engineering (decompiling) and its source code extracted. Even when the source code is obfuscated, obfuscation cannot be guaranteed to be perfect, and there is also a real risk that the source code is leaked by an internal developer. Once the source code has been analyzed, the format of the parameters sent to the authentication proxy server and the encryption algorithm applied to them become known, so fake data can be placed in a parameter, encrypted, and sent to the authentication proxy server.
Also, on some mobile operating systems (OSs), an app can collect the device information of its users.
A malicious attacker obtains the password and device information of the targeted person and installs, on the attacker's own smartphone, a tampered app in which the parameter can be altered. The attacker then places the collected device information in the parameter and attempts authentication, and the authentication proxy server authenticates the attacker on the basis of that device information.
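The following is an illustration added here by the editor; it is not code from Literature 1 or from this disclosure. It models the weakness described above: the authentication proxy server accepts any parameter whose integrity tag was computed with the key embedded in the app, and once that key and the parameter format have been recovered by decompiling, a repackaged app on the attacker's phone can submit the victim's collected device information and be authenticated. The key, the device identifier, the registration table, and the use of HMAC-SHA256 as a stand-in for whatever encryption or integrity algorithm the real app embeds are all constructed assumptions.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed example: the secret the legitimate app embeds in its code.
# Assumption: after decompiling, the attacker knows this value and the
# parameter format, exactly as described above for a leaked source.
APP_EMBEDDED_KEY = b"constructed-app-key-recovered-by-decompiling"

# Constructed registration table held by the authentication proxy server:
# device information -> account owner. The identifier is a sample value.
REGISTERED_DEVICES = {
    "imei:356938035643809": "alice",
}


def build_auth_parameter(device_info: str, key: bytes = APP_EMBEDDED_KEY) -> str:
    """What the app (genuine or repackaged) sends: the device information plus
    an integrity tag computed with the key embedded in the app.  HMAC-SHA256
    stands in here for the app's own encryption/integrity algorithm."""
    payload = json.dumps({"device_info": device_info}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload, "tag": tag})


def authenticate(parameter: str, key: bytes = APP_EMBEDDED_KEY) -> Optional[str]:
    """Authentication proxy server side: check the tag, then map the device
    information to the registered owner.  Returns the user name, or None."""
    msg = json.loads(parameter)
    expected = hmac.new(key, msg["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return None  # tag does not verify: parameter was not built with the app key
    device_info = json.loads(msg["payload"])["device_info"]
    return REGISTERED_DEVICES.get(device_info)


def victim_login() -> Optional[str]:
    """The genuine app on the victim's phone reports the phone's own identifier."""
    return authenticate(build_auth_parameter("imei:356938035643809"))


def attacker_login(collected_device_info: str) -> Optional[str]:
    """The tampered app on the attacker's phone substitutes the collected
    device information for the phone's own; format and key are unchanged,
    so the server cannot tell the two requests apart."""
    return authenticate(build_auth_parameter(collected_device_info))


def attacker_without_key(collected_device_info: str) -> Optional[str]:
    """Without the embedded key the tag fails, so the check only stops an
    attacker who has not reverse-engineered the app."""
    return authenticate(build_auth_parameter(collected_device_info, key=b"wrong-key"))


if __name__ == "__main__":
    print("victim:", victim_login())
    print("attacker with victim's device info:", attacker_login("imei:356938035643809"))
    print("attacker without app key:", attacker_without_key("imei:356938035643809"))
```

The server's only secret is shared by every installation of the app, so the tag proves that the sender possesses the app's key, not that the request originated on the registered device; a parameter carrying the victim's device information is accepted whichever phone built it.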
Mobile banking apps require a separate tampering detection system because the integrity of the app must be checked in conjunction with a tampering detection server immediately after the app starts. It would, however, be preferable to detect app tampering without a separate tampering detection system, if possible.